1 # $OpenBSD: krl.sh,v 1.6 2015/01/30 01:11:39 djm Exp $
2 # Placed in the Public Domain.
4 tid="key revocation lists"
6 # If we don't support ecdsa keys then this tell will be much slower.
8 if test "x$TEST_SSH_ECC" != "xyes"; then
12 # Do most testing with ssh-keygen; it uses the same verification code as sshd.
14 # Old keys will interfere with ssh-keygen.
15 rm -f $OBJ/revoked-* $OBJ/krl-*
18 $SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
19 fatal "$SSHKEYGEN CA failed"
20 $SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
21 fatal "$SSHKEYGEN CA2 failed"
23 # A specification that revokes some certificates by serial numbers
24 # The serial pattern is chosen to ensure the KRL includes list, range and
26 cat << EOF >> $OBJ/revoked-serials
33 # The following sum to 500-799
42 # Some multiple consecutive serial number ranges
47 # A specification that revokes some certificated by key ID.
48 touch $OBJ/revoked-keyid
49 for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
50 test "x$n" = "x499" && continue
51 # Fill in by-ID revocation spec.
52 echo "id: revoked $n" >> $OBJ/revoked-keyid
57 f=$OBJ/revoked-`printf "%04d" $N`
58 # Vary the keytype. We use mostly ECDSA since this is fastest by far.
61 2 | 10 | 510 | 1001) keytype=rsa;;
62 4 | 30 | 520 | 1002) keytype=ed25519;;
64 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
65 || fatal "$SSHKEYGEN failed"
67 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
68 || fatal "$SSHKEYGEN sign failed"
73 verbose "$tid: generating test keys"
74 REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
75 for n in $REVOKED_SERIALS ; do
77 RKEYS="$RKEYS ${f}.pub"
78 RCERTS="$RCERTS ${f}-cert.pub"
80 UNREVOKED_SERIALS="5 9 14 16 29 49 51 499 800 1010 1011"
82 for n in $UNREVOKED_SERIALS ; do
84 UKEYS="$UKEYS ${f}.pub"
85 UCERTS="$UCERTS ${f}-cert.pub"
90 $SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
91 >/dev/null || fatal "$SSHKEYGEN KRL failed"
92 $SSHKEYGEN $OPTS -kf $OBJ/krl-keys $RKEYS \
93 >/dev/null || fatal "$SSHKEYGEN KRL failed"
94 $SSHKEYGEN $OPTS -kf $OBJ/krl-cert $RCERTS \
95 >/dev/null || fatal "$SSHKEYGEN KRL failed"
96 $SSHKEYGEN $OPTS -kf $OBJ/krl-all $RKEYS $RCERTS \
97 >/dev/null || fatal "$SSHKEYGEN KRL failed"
98 $SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
99 >/dev/null || fatal "$SSHKEYGEN KRL failed"
100 # This should fail as KRLs from serial/key-id spec need the CA specified.
101 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
102 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
103 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
104 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
105 # These should succeed; they specify an explicit CA key.
106 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca \
107 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
108 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub \
109 $OBJ/revoked-keyid >/dev/null || fatal "$SSHKEYGEN KRL failed"
110 # These should succeed; they specify an wildcard CA key.
111 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial-wild -s NONE $OBJ/revoked-serials \
112 >/dev/null || fatal "$SSHKEYGEN KRL failed"
113 $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid-wild -s NONE $OBJ/revoked-keyid \
114 >/dev/null || fatal "$SSHKEYGEN KRL failed"
115 # Revoke the same serials with the second CA key to ensure a multi-CA
117 $SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
118 $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
121 ## XXX dump with trace and grep for set cert serials
122 ## XXX test ranges near (u64)-1, etc.
124 verbose "$tid: generating KRLs"
132 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
134 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
135 fatal "key $KEY not revoked by KRL $KRL: $TAG"
136 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
137 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
151 verbose "$tid: checking revocations for $TAG"
153 check_krl $f $OBJ/krl-empty no "$TAG"
154 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
155 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
156 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
157 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
158 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
159 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
160 check_krl $f $OBJ/krl-serial-wild $SERIAL_WRESULT "$TAG"
161 check_krl $f $OBJ/krl-keyid-wild $KEYID_WRESULT "$TAG"
167 # keys all sr# k.ID cert CA sr.# k.ID
168 test_rev "$RKEYS" "revoked keys" yes yes no no no no no no
169 test_rev "$UKEYS" "unrevoked keys" no no no no no no no no
170 test_rev "$RCERTS" "revoked certs" yes yes yes yes yes yes yes yes
171 test_rev "$UCERTS" "unrevoked certs" no no no no no yes no no
176 # Check update. Results should be identical.
177 verbose "$tid: testing KRL update"
178 for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
179 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid \
180 $OBJ/krl-serial-wild $OBJ/krl-keyid-wild; do
181 cp -f $OBJ/krl-empty $f